<html>
<head><meta charset="utf-8"><title>const safety · t-compiler/const-eval · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146212-t-compiler/const-eval/index.html">t-compiler/const-eval</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146212-t-compiler/const-eval/topic/const.20safety.html">const safety</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="201481835"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146212-t-compiler/const-eval/topic/const%20safety/near/201481835" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oli <a href="https://rust-lang.github.io/zulip_archive/stream/146212-t-compiler/const-eval/topic/const.20safety.html#201481835">(Jun 20 2020 at 15:16)</a>:</h4>
<p>While workin on <a href="https://github.com/rust-lang/nomicon/pull/221">https://github.com/rust-lang/nomicon/pull/221</a> and discussion in <a href="https://github.com/rust-lang/rust/issues/51909">https://github.com/rust-lang/rust/issues/51909</a> I've reached the point where I don't know anymore what const safety even is. As far as I can tell we have literally just the situation where some safe code can cause a non-panic CTFE abort, which is nearly indistinguishable from a panic CTFE abort. Ever since we resolved to not add more features to implicit promotion, I don't see why anything here would ever be a problem</p>



<a name="201481918"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146212-t-compiler/const-eval/topic/const%20safety/near/201481918" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oli <a href="https://rust-lang.github.io/zulip_archive/stream/146212-t-compiler/const-eval/topic/const.20safety.html#201481918">(Jun 20 2020 at 15:18)</a>:</h4>
<p>Like... I realize it's not great if we have more post-monomorphization errors, but it's not unsound to have them</p>



<a name="201481928"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146212-t-compiler/const-eval/topic/const%20safety/near/201481928" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oli <a href="https://rust-lang.github.io/zulip_archive/stream/146212-t-compiler/const-eval/topic/const.20safety.html#201481928">(Jun 20 2020 at 15:19)</a>:</h4>
<p>For constant items we check the final values, for const generics we have even more restrictive plans</p>



<a name="201483265"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146212-t-compiler/const-eval/topic/const%20safety/near/201483265" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146212-t-compiler/const-eval/topic/const.20safety.html#201483265">(Jun 20 2020 at 15:52)</a>:</h4>
<p>one concern here is defining what one can in general expect from a safe const fn</p>



<a name="201483278"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146212-t-compiler/const-eval/topic/const%20safety/near/201483278" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146212-t-compiler/const-eval/topic/const.20safety.html#201483278">(Jun 20 2020 at 15:52)</a>:</h4>
<p>from a safe fn we all agree you can expect "no UB". from a safe const fn I think we should be able to expect additionally "no CTFE-unsupported operations".</p>



<a name="201483799"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146212-t-compiler/const-eval/topic/const%20safety/near/201483799" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oli <a href="https://rust-lang.github.io/zulip_archive/stream/146212-t-compiler/const-eval/topic/const.20safety.html#201483799">(Jun 20 2020 at 16:02)</a>:</h4>
<p>it's a nice feature to have, but how does it relate to soundness? I always consider <code>const fn</code> to be a convenient way to write the same things that you could have written with a bunch of generic traits and associated constants. And whatever you muck up there will just cause post-monomorphization errors. Uncool, but not inherently problematic. So if we mirror this to <code>const fn</code>. Sure, there'll be errors at compile-time that have nothing to do with the logic written in the program, but with (inherent) limitations of CTFE.</p>



<a name="201484081"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146212-t-compiler/const-eval/topic/const%20safety/near/201484081" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oli <a href="https://rust-lang.github.io/zulip_archive/stream/146212-t-compiler/const-eval/topic/const.20safety.html#201484081">(Jun 20 2020 at 16:07)</a>:</h4>
<p>I guess if we generally lifted const-specific restrictions within <code>unsafe</code>, this discussion makes more sense. It's not just going to hit CTFE limits to do pointers comparisons, but also if you call non-const fn, call function pointers that point to anything but <code>const fn</code>s, write to a <code>static</code>, read from a <code>static</code>s mutable part, ...</p>



<a name="201484099"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146212-t-compiler/const-eval/topic/const%20safety/near/201484099" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oli <a href="https://rust-lang.github.io/zulip_archive/stream/146212-t-compiler/const-eval/topic/const.20safety.html#201484099">(Jun 20 2020 at 16:07)</a>:</h4>
<p>I'm not saying we should lift those, but any of these would require the same discussion</p>



<a name="201484191"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146212-t-compiler/const-eval/topic/const%20safety/near/201484191" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oli <a href="https://rust-lang.github.io/zulip_archive/stream/146212-t-compiler/const-eval/topic/const.20safety.html#201484191">(Jun 20 2020 at 16:09)</a>:</h4>
<p>just like dereferencing a raw pointer is unsafe at runtime because the pointer could point anywhere, calling a function pointer in const eval is unsafe, because it could point anywhere</p>



<a name="201484288"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146212-t-compiler/const-eval/topic/const%20safety/near/201484288" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oli <a href="https://rust-lang.github.io/zulip_archive/stream/146212-t-compiler/const-eval/topic/const.20safety.html#201484288">(Jun 20 2020 at 16:10)</a>:</h4>
<p>it's <em>not defined</em> (even if the impl does something specific, like error) what happens when you multiply two <code>usize</code> that were derived from pointers, and not defined is like the definition of UB</p>



<a name="201484300"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146212-t-compiler/const-eval/topic/const%20safety/near/201484300" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oli <a href="https://rust-lang.github.io/zulip_archive/stream/146212-t-compiler/const-eval/topic/const.20safety.html#201484300">(Jun 20 2020 at 16:10)</a>:</h4>
<p>or am I going off in the wrong direction again?</p>



<a name="201484312"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146212-t-compiler/const-eval/topic/const%20safety/near/201484312" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oli <a href="https://rust-lang.github.io/zulip_archive/stream/146212-t-compiler/const-eval/topic/const.20safety.html#201484312">(Jun 20 2020 at 16:11)</a>:</h4>
<p>(I'm going to use this discussion here to write up something in <a href="https://github.com/rust-lang/rust/issues/51909">#51909</a> )</p>



<a name="201491458"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146212-t-compiler/const-eval/topic/const%20safety/near/201491458" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lokathor <a href="https://rust-lang.github.io/zulip_archive/stream/146212-t-compiler/const-eval/topic/const.20safety.html#201491458">(Jun 20 2020 at 18:52)</a>:</h4>
<p>Isn't a compile time evaluation error <em>sometimes</em> undetectable UB and <em>sometimes</em> a detectable but impossible operation? The latter seems more like a panic, and it's safe to panic.</p>



<a name="201526486"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146212-t-compiler/const-eval/topic/const%20safety/near/201526486" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146212-t-compiler/const-eval/topic/const.20safety.html#201526486">(Jun 21 2020 at 09:33)</a>:</h4>
<p><span class="user-mention silent" data-user-id="124288">oli</span> <a href="#narrow/stream/146212-t-compiler.2Fconst-eval/topic/const.20safety/near/201484288">said</a>:</p>
<blockquote>
<p>it's <em>not defined</em> (even if the impl does something specific, like error) what happens when you multiply two <code>usize</code> that were derived from pointers, and not defined is like the definition of UB</p>
</blockquote>
<p>Undefined Behavior is, confusingly, not about being "not defined". See <a href="https://rust-lang.github.io/unsafe-code-guidelines/glossary.html#undefined-behavior">e.g. this definition</a>.</p>



<a name="201526534"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146212-t-compiler/const-eval/topic/const%20safety/near/201526534" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146212-t-compiler/const-eval/topic/const.20safety.html#201526534">(Jun 21 2020 at 09:34)</a>:</h4>
<p>(It used to be about that back in the 80s or so, but C compiler devs have evolved the term to mean something else entirely.)</p>



<a name="201526561"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146212-t-compiler/const-eval/topic/const%20safety/near/201526561" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146212-t-compiler/const-eval/topic/const.20safety.html#201526561">(Jun 21 2020 at 09:35)</a>:</h4>
<p>CTFE will never cause "UB" in the sense that the host compiler has UB and deletes your source files or so... and it is not compiled to anything so there's no UB due to that either. I guess one question here is whether want to leave room for optimizing MIR before CTFE, or compiling it to a JITable bytecode, or so?</p>



<a name="201526622"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146212-t-compiler/const-eval/topic/const%20safety/near/201526622" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146212-t-compiler/const-eval/topic/const.20safety.html#201526622">(Jun 21 2020 at 09:37)</a>:</h4>
<p>we could make CTFE misbehavior "unspecified behavior". that means we should list what the possible behaviors are, which I guess is "const-eval will return some arbitrary thing and leave arbitrary stuff in the memory that gets interned". but the compiler won't crash or eat your kittens.</p>



<a name="201526629"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146212-t-compiler/const-eval/topic/const%20safety/near/201526629" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146212-t-compiler/const-eval/topic/const.20safety.html#201526629">(Jun 21 2020 at 09:37)</a>:</h4>
<p>(this means that if we JIT it needs to sandbox or boundscheck or so)</p>



<a name="201631458"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146212-t-compiler/const-eval/topic/const%20safety/near/201631458" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oli <a href="https://rust-lang.github.io/zulip_archive/stream/146212-t-compiler/const-eval/topic/const.20safety.html#201631458">(Jun 22 2020 at 16:51)</a>:</h4>
<p>I wrote something: <a href="https://github.com/rust-lang/rust/issues/51909#issuecomment-647643036">https://github.com/rust-lang/rust/issues/51909#issuecomment-647643036</a></p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>